How to Use the Application Command Center (ACC)

by 10-29-2015 02:09 PM - edited 04-26-2017 02:15 PM (22,141 Views)

Learn how to use the Application Command Center (ACC) to monitor traffic and threat trends happening in your network.

Prerequisites

Before watching this video, we recommend reading Tips & Tricks: How to Use the ACC here:
https://live.paloaltonetworks.com/t5/Management-Articles/Tips-amp-Tricks-How-to-Use-the-Application-...

This is Joe Delio from the Palo Alto Networks Community team, bringing you a Palo Alto Networks Video Tutorial about the Application Command Center (ACC). I'll talk about the parts of the ACC and how to get more information from this powerful tool.

This video will help you understand how to use the ACC on PAN-OS 6.0 and 6.1. PAN-OS 7.0 changes the look and feel of the interface, which I will cover in a different segment of Tips & Tricks.

If you're watching on YouTube, please look in the details section below for the link to the Palo Alto Networks Live Community article for the full transcript, links to the Tips & Tricks article, and for slide decks.

Let's look at the parts of the Application Command Center and how to get more info from the ACC.

We will start with the Dashboard tab:

ACC Risk Factor

Inside the WebGUI, on the Dashboard tab, you'll see ACC Risk Factor, which shows the risk factor over the last 60 minutes based upon information inside the ACC tab. This is a general 'threat temperature' of the traffic. If you find the temperature higher than normal, then you can use the main ACC to drill down and investigate what's causing the temperature rise. If you'd like to see this, and it is not being displayed on your Dashboard page, enable it from the Dashboard > Widgets > Application > ACC Risk Factor.

Top Applications

You also will see the 'Top Applications,' if you've enabled this widget, which displays applications having the most sessions. The block size indicates the relative number of sessions (mouse-over the block to view the number), and the color indicates the security risk—from green (lowest) to red (highest). Click an application to view its application information, as well as a full breakdown where that application has been seen inside the ACC page.

This is a great way to see, at a glance, the applications in use.

If you would like to see this, enable it from the Dashboard > Widgets at the top > Application > Top Applications.

Now let's move on to the ACC tab. On the ACC tab, you'll see the following sections that make up the Application Command Center:

  1. Time/Sort By/Top (at the top of the window)
  2. Application
  3. URL Filtering
  4. Threat Prevention
  5. Data Filtering
  6. HIP Matches

1. Time/Sort By/Top

At the top of the window, you'll see the Time/Sort By/Top options, which control every display option inside the ACC.
The time options range from the last 15 minutes up to the last calendar month, plus a Custom option. You can sort by number of Sessions, Bytes or Threats.
The 'Top' option sets the highest number of entries to display per section, from 5 up to 500.

Press the green arrow to make your selection take effect.

The green plus sign is a 'Set Filter' option that you can apply, which allows you to filter by:

  • Application
  • Source IP
  • Destination IP
  • Source User
  • Destination User
  • Machine Name
  • HIP
  • Source Zone
  • Destination Zone
  • Risk
  • URL Category

Adding a filter comes in handy if you're looking for something specific.

Also note that you'll see the same 'ACC Risk Factor' in the upper right, as well as a set of 5 icons, which are shortcuts to logs, in the following order:

  • Traffic Log
  • Threat Logs
  • URL Filtering Log
  • Data Filtering Log
  • HIP Match Log

These shortcuts come in handy when you'd like to jump straight to the Threat logs, but don't want to select Monitor > Threat logs.

2. Application

The first section you'll see is the Application section.

This section displays information organized according to the menu selection. Information includes the number of sessions, bytes transmitted and received, number of threats, application category, application subcategories, application technology, and risk level, as applicable.

The following subcategories are available by using the drop-down on the right side:

  • Applications
  • High Risk Applications
  • Categories
  • Sub Categories
  • Technology
  • Risk

Here's where you can start investigating questionable traffic passing through your network, in or out, by selecting the Application name, or by using the drop-down to look at the Application data differently.

For example, let's say that 'msrpc' traffic is high, and you want to know more about this traffic. Simply click on msrpc and you'll see the following:

  • Application Information: general information about the application, including its Name, Description, and all other information specific to this application and how it communicates.
  • Top Applications: shows session and bytes information
  • Top Sources
  • Top Destinations
  • Top Source Countries
  • Top Destination Countries
  • Top Security Rules
  • Top Ingress Zones
  • Top Egress Zones
  • URL Filtering
  • Threat Prevention
  • Data Filtering

You can continue to click on each area to get more detailed information. Sometimes the information you need is only one click down; more involved investigations might take more drill-downs to get the information you need.
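To make the Time / Sort By / Top and Set Filter controls from section 1, and the per-application drill-down just described, concrete, here is an added example that models the same aggregation in Python over a few constructed session records. This is not Palo Alto Networks code and is not part of the original video; the record layout, the sample values and the helper names acc_top and drill_down are all assumptions made for the illustration (the real ACC works from the firewall's own traffic, threat and URL logs).

```python
"""Toy model of the ACC's Time / Sort By / Top / Set Filter controls and of the
per-application drill-down, run over constructed session records.
Added illustration, not PAN-OS code; the record layout is an assumption and
not the real traffic-log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Field names for the constructed records below (assumed layout).
FIELDS = ("time", "app", "src_ip", "dst_ip", "src_user", "src_zone", "dst_zone",
          "risk", "url_category", "bytes_sent", "bytes_recv", "threats")

# "Now" is fixed so that the relative time windows are reproducible.
NOW = datetime(2015, 10, 29, 14, 0)

# Constructed sample sessions (documentation-range IPs; not captured traffic).
SAMPLE_SESSIONS = [
    (NOW - timedelta(minutes=5),  "msrpc",        "10.1.1.5", "10.2.2.9",     "alice", "trust", "dmz",     4, "any",            1200,    800, 0),
    (NOW - timedelta(minutes=9),  "msrpc",        "10.1.1.7", "10.2.2.9",     "bob",   "trust", "dmz",     4, "any",            3000,   1500, 1),
    (NOW - timedelta(minutes=12), "web-browsing", "10.1.1.5", "203.0.113.8",  "alice", "trust", "untrust", 4, "search-engines",  500,  90000, 0),
    (NOW - timedelta(minutes=20), "ssl",          "10.1.1.8", "198.51.100.2", "carol", "trust", "untrust", 4, "business",        700,  40000, 0),
    (NOW - timedelta(minutes=40), "ssl",          "10.1.1.5", "198.51.100.2", "alice", "trust", "untrust", 4, "business",        600,  35000, 2),
    (NOW - timedelta(minutes=70), "bittorrent",   "10.1.1.9", "192.0.2.44",   "dave",  "trust", "untrust", 5, "any",          400000, 900000, 0),
]

SORT_KEYS = ("sessions", "bytes", "threats")   # the ACC's Sort By choices


def to_records(rows):
    """Turn the constructed tuples into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in rows]


def acc_top(records, group_by="app", sort_by="sessions", top=5,
            last_minutes=60, now=NOW, filters=None):
    """Aggregate sessions per `group_by` value within the time window, apply
    the Set Filter conditions (exact match on a field) and return the top-N
    groups as [(key, {"sessions", "bytes", "threats"})]."""
    if sort_by not in SORT_KEYS:
        raise ValueError(f"sort_by must be one of {SORT_KEYS}")
    if not 5 <= top <= 500:                       # the ACC offers 5 .. 500
        raise ValueError("top must be between 5 and 500")
    cutoff = now - timedelta(minutes=last_minutes)
    filters = filters or {}
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "threats": 0})
    for rec in records:
        if rec["time"] < cutoff:
            continue                              # outside the selected window
        if any(rec.get(field) != value for field, value in filters.items()):
            continue                              # does not match Set Filter
        entry = totals[rec[group_by]]
        entry["sessions"] += 1
        entry["bytes"] += rec["bytes_sent"] + rec["bytes_recv"]
        entry["threats"] += rec["threats"]
    # Highest count first; ties broken by key so the output is deterministic.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][sort_by], str(kv[0])))
    return ranked[:top]


def drill_down(records, app, **window):
    """Model of clicking an application name: the same aggregation, restricted
    to that app and grouped by source, destination and zones."""
    flt = {"app": app}
    return {
        "top_sources": acc_top(records, "src_ip", filters=flt, **window),
        "top_destinations": acc_top(records, "dst_ip", filters=flt, **window),
        "top_ingress_zones": acc_top(records, "src_zone", filters=flt, **window),
        "top_egress_zones": acc_top(records, "dst_zone", filters=flt, **window),
    }


if __name__ == "__main__":
    recs = to_records(SAMPLE_SESSIONS)
    for key, totals in acc_top(recs, sort_by="bytes"):
        print(f"{key:14} {totals}")
    print(drill_down(recs, "msrpc"))
```

Changing `last_minutes` from 60 to 15 drops the older ssl sessions from the ranking, and widening it to a day brings the bittorrent session to the top of the bytes view, which is the same effect the Time selector has in the ACC: a spike that looks alarming in one window can be invisible in another, so check more than one window before drawing conclusions.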

 

3. URL Filtering

Displays information organized according to the menu selection. Information includes the URL, URL category and repeat count (number of times access was attempted), as applicable.

  • URL Categories
  • URLs
  • Blocked URL Categories
  • Blocked URLs

This is a great way to see what URL filtering categories are being used.

4. Threat Prevention

Displays information organized according to the menu selection. Information includes threat ID, count (number of occurrences), number of sessions, and subtype (such as vulnerability), as applicable.

The following sections are available:

  • Threats
  • Types
  • Spyware
  • Spyware Phone Home
  • Spyware Download
  • Vulnerabilities
  • Viruses

If you want to know what Threat Prevention is seeing, you will like this section for the amount of information it can show you.

5. Data Filtering

Displays data from the data filtering policy that has been created.

The following sections are available:

  • Content/File Types
  • Types
  • File Names

If you use data filtering, this comes in handy to quickly show how many files are created and the repeat count of each type.

6. HIP Matches

This area displays Host Information Protocol information gathered from GlobalProtect.

The following sections are available:

  • HIP Objects
  • HIP Profiles

If you're using HIP with GlobalProtect, then this area can prove very helpful.

I hope this video tutorial has helped you understand the Application Command Center better, and has given you some insight into better ways to access and use the information in the ACC.

That concludes this video tutorial. We hope you enjoyed this video, and thanks for watching.

We welcome all feedback below, so don't be shy.

Stay secure!

Joe Delio

Comments
by rossghanim
on ‎04-09-2018 10:35 PM

I would like to know where the user goes, what site that user is going to. I am right on ACC, I see the User Activity under Network Activity and am able to contact the user and let him know how much bandwidth he is using. He will ask me what site he was visiting, or my manager might ask me this. If I click on the Source User it is not giving me details on where that user is going, what site he or she is visiting. How can I do that?
